bastion-firewall Info

bastion-firewall is a firewall based on Netfilter and iptables. It runs on any Linux with kernel 2.4 or higher, and its characteristics are:

  • Developed by bgSEC (http://www.bgsec.com) and Jose María López Hernández (jkerouac@bgsec.com) and distributed under the GPL license.
  • Programmed in bash (99 per cent of the code) and C. This makes the firewall very flexible and easy to modify. About 26000 lines of bash and C code provide very high functionality, implementing almost all the kernel protections, including the ones that modify the /proc filesystem and the ones from the Netfilter/iptables system.
  • Based on the Netfilter and iptables facilities supplied by almost all Linux distributions and the official kernel. The firewall doesn't use any strange code or custom-programmed facilities: the commands it runs are iptables commands like any user script would use, but without the administrator having to write a single line of code.
  • The system doesn't use perl, python, ruby or other commands that an attacker could use as working tools after a system compromise. bastion-firewall can run in a very reduced distribution, in text mode and with a minimum number of installed packages.
  • The administration of the firewall is based on plain text files that are treated as bash code, allowing the user to put bash code into the configuration files to generate the values of the variables.
  • Web based administration using bastion-firewall-interface (THIS FUNCTIONALITY IS NOT WORKING AT THIS TIME) that modifies the configuration files, allowing the administrator to do a mixed configuration: editing some things with the interface and then touching other things in the configuration files if necessary.
  • Configuration files fully commented, with help for each variable that can alter the firewall. The files explain themselves and include documentation about how the firewall works. In theory this should be enough to configure the firewall and all its options without reading a single line of separate documentation.
  • Web based traffic statistics system with graphs of the traffic through the firewall, generated by rrdtool. These graphs are generated automatically just by including a command in the firewall configuration files or an option in each of the services or groups of services we want graphs for. A web page that lets us view the statistical graphs easily is generated automatically.
  • Traffic division system with grouping and ordering of the rules, services and protocols to obtain the maximum speed in Netfilter's treatment of the rules. The idea is that Netfilter has the minimum number of rules to check, and the rules generated for a service with more than one port are grouped into one single command.
  • Configuration files ready to be extended with local code by the administrator at strategic points in the loading of the firewall rules; this allows us to modify the firewall without having to edit the code.
  • Possibility of writing plugins in a very simple manner to add functionality to the firewall. The firewall detects the new plugins and their rules are integrated with the firewall's own. This is a very easy and powerful way of adding code to bastion-firewall.
  • Uses external programs and addons in a standard way, without modifying the code, allowing the addons to be updated or substituted by others very easily.
  • It works in systems and distributions with a minimum of commands: it basically uses bash and the standard Unix commands of Linux, and it includes rrdtool and ulogd in the distribution, so you don't have to install them on your system.
  • Blacklist system to block IP addresses permanently. Whitelist system to allow the addresses we never want to block. It has commands to administer both lists, and these commands can be used from an IDS or IPS to block supposed attackers without the danger of causing a denial of service.
  • Blacklist and whitelist system for MAC addresses. It is similar to the blacklist/whitelist system for IP addresses.
  • Restricted MAC system that allows us to choose the machines that can talk to the firewall and the ones that can't, in the local network and in the external network (useful for a DMZ).
  • Possibility of using IP lists anywhere we normally have an IP address in the config files. bastion-firewall will expand the IP list and generate the rules for each IP.
  • Possibility of creating new services, groups of services and groups of networks; this allows us to manage the firewall just by editing a minimum number of variables.
  • MD5 system to detect changes in the configuration. This allows the firewall to choose between regenerating the rules or loading the ones in the cache system if the configuration has not been modified since the last firewall restart.
  • Double philosophy of working with the firewall: the first one using traffic flows to block or allow the traffic, and the second one using lists where the rules can be specified.
  • It allows specifying the traffic flow for each service on the inner and outer interfaces and for the IPs in the local network and the remote network. It can write the connections to the logs, pass them to ulogd and, if we want, generate statistics for the service.
  • The administrator can add new services or groups of services easily using commands, and then specify the rules for these services or groups. There is no need to touch the code to add new services to the firewall, and a command even exists to add a list of services contained in a file, allowing us to add a large number of new services to the configuration files.
  • It allows us to use the pom (Patch-o-matic) facilities included with iptables.
  • Protects the system against attacks on the kernel, spoofing, denial of service attacks, log flooding attacks, port scans, etc.
  • Possibility of specifying how we want to reject or accept packets. Uses REJECT or DROP as specified by the administrator.
  • Each time the rules are regenerated it creates a script that contains ALL the commands the firewall has run, including the ones that activate the kernel protections and the iptables commands used to generate the rules. This script can be executed and has the same effect on the system as loading the firewall. The script includes comments for each command it executes and for the services it allows or blocks. This allows us to use bastion-firewall as a powerful script generator, and these scripts are firewalls by themselves, allowing the administrator to generate ad-hoc firewalls for specific systems just by altering some variables in the configuration files. This is one of the most powerful and useful characteristics of bastion-firewall.
  • Generation of logs while the firewall is running, and warnings on the start and stop of the firewall and of the addons.
  • Detection and blocking of new traffic without a SYN, fragmented traffic, traffic marked as invalid by the conntrack system and spoofed traffic.
  • It allows us to send, for example, the HTTP traffic we have decided to accept to snort-inline, so that program inspects it and decides whether the firewall should block it or accept it. This is a quite efficient form of IPS, and quite secure if we keep the snort-inline rules to the minimum. The advantage of this method is that snort-inline can treat the HTTP traffic completely before checking it against the rules and sending the accept or deny decision back to the firewall.
  • It allows the system to use ulogd to send the logs to a database such as mysql or postgresql, or to any other kind of log that can be processed with swatch or similar programs.
  • Complete treatment of ICMP traffic with a default configuration. Possibility of using ICMP messages with conntrack to reject traffic or not.
  • It allows generating rules with lists using all the facilities of the firewall, such as IP address groups or groups of services. These lists of rules have precedence over the rest of the rules in the firewall and allow us to adjust the firewall if we have some networks we want to treat differently from the others.
  • Transparent proxy functionality, NAT, SNAT, DNAT or REDIRECT using lists and configuration files. For each service an internal server in the local network can be indicated to provide the service to the exterior using DNAT: you just put the IP of the server in the service and the firewall generates the rules.
  • It works without modification in the 2.4 and 2.6 versions of the Linux kernel.
  • When the firewall is loading and has to regenerate the rules, it checks that all the commands are available and that all the IPs, groups and lists included in the configuration files are correct. It also checks that the rules have correct syntax, and it can generate errors with help about where and how the error was produced, to help the administrator find the error in the variables.
  • It allows us to use ranges and lists of IPs, expanding them to individual IP addresses, because iptables doesn't work with ranges of IPs.
  • bastion-firewall can work with any number of interfaces for the inner and outer connections, bearing in mind that the routes between these interfaces and the networks they connect to have to be correct. This allows us, for example, to have several connections through several ADSL/DSL routers from a LAN and to specify the rules for all the traffic that will go out of or into the network. The ip command from the iproute2 system can be used to enable the routes between the LAN and the interfaces connecting the LAN to the routers.
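As an added example (not bastion-firewall's own code), the following POSIX shell functions show two of the mechanisms listed above: expanding an IP range or list into single addresses, since iptables itself does not take ranges, and grouping a service's ports into one iptables command with the multiport match. The function names, the "first-last" range syntax and the service/port format are assumptions; the generated commands are printed, not executed.

```shell
#!/bin/sh
# Added example, not part of bastion-firewall: expand IP ranges/lists and
# group a service's ports into a single iptables command with multiport.
# The "first-last" range syntax and the function names are assumptions.

# ip2int: dotted-quad IPv4 address -> integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip: integer -> dotted-quad IPv4 address
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expand_ips "10.0.0.1-10.0.0.3 192.168.1.5": prints one address per line.
# iptables takes no ranges, so a range becomes one address (one rule) each.
expand_ips() {
    for item in $1; do
        case $item in
            *-*)
                start=$(ip2int "${item%-*}")
                end=$(ip2int "${item#*-}")
                [ "$start" -le "$end" ] || { echo "bad range: $item" >&2; return 1; }
                i=$start
                while [ "$i" -le "$end" ]; do
                    int2ip "$i"
                    i=$((i + 1))
                done
                ;;
            *) echo "$item" ;;
        esac
    done
}

# gen_rules SERVICE "PORT PORT ..." "IP IP-IP ...": prints (does not run) one
# iptables command per source address, with all ports grouped via multiport
# instead of one rule per port, so Netfilter has fewer rules to check.
gen_rules() {
    ports=$(echo "$2" | tr ' ' ',')
    expand_ips "$3" | while read -r ip; do
        echo "iptables -A INPUT -p tcp -s $ip -m multiport --dports $ports -j ACCEPT # $1"
    done
}
```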

© 2005 bgSEC   (bgSEC Seguridad y Consultoria de Sistemas)   (http://www.bgsec.com)